Blame SOURCES/0418-video-fb-video_fb-Fix-possible-integer-overflow.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Darren Kenny <darren.kenny@oracle.com>
9723a8
Date: Fri, 4 Dec 2020 14:51:30 +0000
9723a8
Subject: [PATCH] video/fb/video_fb: Fix possible integer overflow
9723a8
9723a8
It is minimal possibility that the values being used here will overflow.
9723a8
So, change the code to use the safemath function grub_mul() to ensure
9723a8
that doesn't happen.
9723a8
9723a8
Fixes: CID 73761
9723a8
9723a8
Signed-off-by: Darren Kenny <darren.kenny@oracle.com>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/video/fb/video_fb.c | 8 +++++++-
9723a8
 1 file changed, 7 insertions(+), 1 deletion(-)
9723a8
9723a8
diff --git a/grub-core/video/fb/video_fb.c b/grub-core/video/fb/video_fb.c
9723a8
index 1c9a138dcdc..ae6b89f9aea 100644
9723a8
--- a/grub-core/video/fb/video_fb.c
9723a8
+++ b/grub-core/video/fb/video_fb.c
9723a8
@@ -1537,7 +1537,13 @@ doublebuf_pageflipping_init (struct grub_video_mode_info *mode_info,
9723a8
 			     volatile void *page1_ptr)
9723a8
 {
9723a8
   grub_err_t err;
9723a8
-  grub_size_t page_size = mode_info->pitch * mode_info->height;
9723a8
+  grub_size_t page_size = 0;
9723a8
+
9723a8
+  if (grub_mul (mode_info->pitch, mode_info->height, &page_size))
9723a8
+    {
9723a8
+      /* Shouldn't happen, but if it does we've a bug. */
9723a8
+      return GRUB_ERR_BUG;
9723a8
+    }
9723a8
 
9723a8
   framebuffer.offscreen_buffer = grub_malloc (page_size);
9723a8
   if (! framebuffer.offscreen_buffer)